Tuesday, December 10, 2013

Unknown EK - Analysis

I went away for the week-end and when I got back Sunday night I was curious as to what this could end up being. Kindly as always, @Set_Abominea shipped me a very nice pcap of what was seen over at his place, and from there I wanted to go the usual way and try to pick this thing apart.

Luckily this kit was quite simple and it did not take much time to figure out what these bad guys were up to. No JavaScript obfuscation, no payload XOR or encryption.
Warning: the bad stuff is still alive, so take the necessary precautions if you engage it on your own.

So just some cookie handling and then it writes an iframe tag. How convenient. Oh, and of course with width=0 and height=0, so the visitor is not supposed to see it after all.
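As an added example (not code from the original post or from the kit), here is a small Python extractor for exactly the pattern described above: it finds iframe tags, including ones emitted from inside a document.write() string, and flags the ones sized to zero or hidden via CSS. The landing-page snippet, cookie name and URLs are constructed placeholders, not the kit's real infrastructure.

```python
import re
from typing import Dict, List

# Constructed landing-page sample in the style described above: a cookie check,
# then document.write of a zero-size iframe. Placeholder URLs and cookie name.
SAMPLE_LANDING = r"""
<html><body>
<script>
if (document.cookie.indexOf("visited=") == -1) {
  document.cookie = "visited=1; path=/";
  document.write('<iframe src="http://example.invalid/load.php?id=3" width=0 height=0 frameborder=0></iframe>');
}
</script>
<iframe src="http://example.invalid/ad.html" width="300" height="250"></iframe>
</body></html>
"""

# Any <iframe ...> opening tag, wherever it sits (markup or inside a JS string).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
# name="value", name='value' or bare name=value attribute pairs.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")


def parse_attrs(raw: str) -> Dict[str, str]:
    """Turn the attribute text of a tag into a lower-cased name -> value dict."""
    attrs: Dict[str, str] = {}
    for m in ATTR_RE.finditer(raw):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_hidden(attrs: Dict[str, str]) -> bool:
    """Zero width/height or display:none / visibility:hidden means 'not meant to be seen'."""
    zero = {"0", "0px", "0%"}
    if attrs.get("width", "").strip().lower() in zero:
        return True
    if attrs.get("height", "").strip().lower() in zero:
        return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_hidden_iframes(page: str) -> List[Dict[str, str]]:
    """Return the attribute dicts of every hidden iframe found in the page text."""
    hits = []
    for m in IFRAME_RE.finditer(page):
        attrs = parse_attrs(m.group(1))
        if is_hidden(attrs):
            hits.append(attrs)
    return hits


if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_LANDING):
        print("hidden iframe ->", hit.get("src"), hit)
```

Running it on the constructed sample reports only the zero-size frame written from the script, not the visible 300x250 one; the src it pulls out is the next URL to fetch when you walk the chain by hand.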
Time to fetch what we are not supposed to be looking at in that iframe:

As reported, it exploits CVE-2013-2465. That is the Java 2D bug that Oracle fixed in Java 7 Update 25, but Java 6 Update 45 is the last public Java 6 release, so it will never get a public patch there. Not a 0-day any more, but a lot of EKs use it, so patch-patch-patch (or get off Java 6) if you have not already.

The JAR archive also had a couple of embedded files: one was a configuration (properties) file and the other an exe file.

Here is how the embedded file is written to disk.

The Java code also checks whether it is in WIN or UX land.

Reading the properties from the config file

And the file is executed as well.

Even though this particular walkthrough of the kit did not see the Java code download malware, the code seems capable of doing so. That also seems to be configured through the embedded properties file; as we saw earlier, it is probably decided by the property named URL.
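The JAR handling described in the last few sections (embedded properties file, embedded exe, a URL property that may steer a download) is the kind of thing worth triaging statically before running anything. As an added example, not code from the original post or from the kit, the Python below builds a constructed JAR with that layout and then inventories it: every entry is classified by magic bytes rather than by extension, so a PE file renamed to look like an image is still caught, and the properties file is parsed the Java way (=, : or whitespace separators, # and ! comments) so that URL-valued keys can be pulled out. All entry names, keys and URLs are placeholders.

```python
import io
import re
import zipfile
from typing import Dict, List, Tuple

# Constructed JAR mimicking the layout described above: one class file, one
# .properties config and one embedded Windows executable hiding behind an
# innocent-looking name. Everything in here is a placeholder for the example.
def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("Exploit.class", b"\xca\xfe\xba\xbe" + b"\x00" * 60)
        zf.writestr("config.properties",
                    "# constructed config\n"
                    "URL=http://example.invalid/get.php?id=7\n"
                    "name: update.exe\n"
                    "run 1\n")
        # PE stub: MZ header followed by the usual DOS-mode string.
        zf.writestr("res/logo.gif",
                    b"MZ" + b"\x90" * 58
                    + b"This program cannot be run in DOS mode." + b"\x00" * 32)
    return buf.getvalue()


# key, then '=', ':' or whitespace as separator, then the value.
PROP_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:\s]\s*(.*?)\s*$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser (no line continuations or escapes)."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def classify(name: str, data: bytes) -> str:
    """Classify an entry by its magic bytes first, falling back to the extension."""
    if data.startswith(b"\xca\xfe\xba\xbe"):
        return "java-class"
    if data.startswith(b"MZ"):
        return "pe-executable"
    if name.lower().endswith(".properties"):
        return "properties"
    return "other"


def triage_jar(jar_bytes: bytes) -> Dict[str, object]:
    """Inventory a JAR: (name, kind, size) per entry, merged properties, URL-valued keys."""
    entries: List[Tuple[str, str, int]] = []
    props: Dict[str, str] = {}
    urls: List[Tuple[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info.filename)
            kind = classify(info.filename, data)
            entries.append((info.filename, kind, len(data)))
            if kind == "properties":
                parsed = parse_properties(data.decode("utf-8", "replace"))
                props.update(parsed)
                for key, value in parsed.items():
                    if re.match(r"https?://", value, re.IGNORECASE):
                        urls.append((key, value))
    return {"entries": entries, "properties": props, "urls": urls}


if __name__ == "__main__":
    report = triage_jar(build_sample_jar())
    for name, kind, size in report["entries"]:
        print(f"{kind:14} {size:6d}  {name}")
    print("properties:", report["properties"])
    print("download URLs:", report["urls"])
```

On the constructed sample this flags res/logo.gif as a PE executable despite its extension and lists URL as the one property that points at a download, which is what you would then chase in the pcap. Point triage_jar at the real JAR's bytes to get the same inventory for a live sample.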

In addition, the pcap from @Set_Abominea contained the download of an exe file.

I fetched it manually as well, but could not find any trace of that in the Java code. It could be fetched by the malware payload itself though. Strange user-agent at least.

MD5s and VirusTotal results were covered in the paste linked in the tweet. I got exactly the same files 3 days later when I fetched them manually, so no need to repeat that here.